docs: add vercel taskmaster share site

This commit is contained in:
Siavash Sameni
2026-05-24 09:13:34 +04:00
parent 393bb17c2e
commit b84abb4d75
4 changed files with 956 additions and 0 deletions

View File

@@ -0,0 +1,11 @@
# Amanat Taskmaster share site
Static Vercel share page for the docs-side Taskmaster queue.
Generated from `../.taskmaster/tasks/tasks.json`.
Files:
- `index.html`: readable task dashboard
- `tasks.json`: raw task data for developers/agents
- `vercel.json`: static deployment config

549
taskmaster-share/index.html Normal file
View File

@@ -0,0 +1,549 @@
<!doctype html>
<html lang="en">
<head>
<meta charset="utf-8" />
<meta name="viewport" content="width=device-width, initial-scale=1" />
<title>Amanat Taskmaster Queue</title>
<style>
:root {
--ink: #172018;
--muted: #667064;
--paper: #fbf6e8;
--panel: #fffdf5;
--line: #ded5bd;
--green: #1c7c54;
--amber: #b7791f;
--red: #b42318;
--blue: #245b84;
--shadow: 0 18px 60px rgba(39, 32, 18, 0.14);
}
* { box-sizing: border-box; }
body {
margin: 0;
font-family: ui-serif, Georgia, Cambria, "Times New Roman", serif;
color: var(--ink);
background:
radial-gradient(circle at 15% 10%, rgba(28, 124, 84, 0.18), transparent 28rem),
radial-gradient(circle at 90% 5%, rgba(183, 121, 31, 0.16), transparent 24rem),
linear-gradient(135deg, #f7efd9 0%, #fbf6e8 48%, #edf4ea 100%);
min-height: 100vh;
}
header {
padding: 48px clamp(18px, 4vw, 64px) 28px;
border-bottom: 1px solid rgba(80, 67, 41, 0.18);
}
.hero {
max-width: 1180px;
margin: 0 auto;
display: grid;
grid-template-columns: minmax(0, 1.3fr) minmax(280px, 0.7fr);
gap: 28px;
align-items: end;
}
h1 {
font-size: clamp(2.4rem, 6vw, 5.8rem);
line-height: 0.9;
letter-spacing: -0.06em;
margin: 0;
}
.lead {
color: var(--muted);
font-size: 1.1rem;
max-width: 760px;
line-height: 1.65;
margin: 22px 0 0;
}
.stats {
display: grid;
grid-template-columns: repeat(2, minmax(0, 1fr));
gap: 12px;
}
.stat {
background: rgba(255, 253, 245, 0.78);
border: 1px solid var(--line);
border-radius: 22px;
padding: 18px;
box-shadow: var(--shadow);
}
.stat strong { display: block; font-size: 2.1rem; line-height: 1; }
.stat span { color: var(--muted); font-size: 0.9rem; }
main {
max-width: 1180px;
margin: 0 auto;
padding: 28px clamp(18px, 4vw, 64px) 64px;
}
.toolbar {
display: flex;
gap: 12px;
flex-wrap: wrap;
align-items: center;
margin-bottom: 22px;
}
input, select, a.button {
border: 1px solid var(--line);
background: rgba(255, 253, 245, 0.86);
border-radius: 999px;
padding: 12px 16px;
color: var(--ink);
font: inherit;
text-decoration: none;
}
input { min-width: min(100%, 360px); flex: 1; }
.task {
background: rgba(255, 253, 245, 0.9);
border: 1px solid var(--line);
border-radius: 30px;
padding: clamp(20px, 3vw, 32px);
box-shadow: var(--shadow);
margin: 18px 0;
}
.task-head, .subtask-top {
display: flex;
justify-content: space-between;
gap: 16px;
align-items: flex-start;
}
.eyebrow {
color: var(--green);
font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
margin: 0 0 6px;
text-transform: uppercase;
letter-spacing: 0.12em;
font-size: 0.78rem;
}
h2 { font-size: clamp(1.45rem, 3vw, 2.4rem); line-height: 1; margin: 0; letter-spacing: -0.035em; }
h3 { margin: 24px 0 10px; }
.desc, details p, .subtask p { color: var(--muted); line-height: 1.55; }
details {
border-top: 1px solid var(--line);
border-bottom: 1px solid var(--line);
padding: 14px 0;
margin-top: 18px;
}
summary { cursor: pointer; color: var(--blue); font-weight: 700; }
.badges { display: flex; gap: 8px; flex-wrap: wrap; justify-content: flex-end; }
.badge {
display: inline-flex;
align-items: center;
border-radius: 999px;
padding: 5px 10px;
font: 700 0.78rem/1 ui-monospace, SFMono-Regular, Menlo, monospace;
background: #ece5d2;
color: var(--ink);
margin-left: 6px;
white-space: nowrap;
}
.done { background: rgba(28, 124, 84, 0.13); color: var(--green); }
.pending { background: rgba(183, 121, 31, 0.14); color: var(--amber); }
.in-progress { background: rgba(36, 91, 132, 0.13); color: var(--blue); }
.blocked, .critical { background: rgba(180, 35, 24, 0.12); color: var(--red); }
.priority-high { background: rgba(180, 35, 24, 0.12); color: var(--red); }
.priority-medium { background: rgba(183, 121, 31, 0.14); color: var(--amber); }
.priority-low { background: rgba(102, 112, 100, 0.12); color: var(--muted); }
.subtasks { list-style: none; padding: 0; margin: 0; display: grid; gap: 10px; }
.subtask {
border: 1px solid rgba(80, 67, 41, 0.16);
border-radius: 18px;
padding: 14px;
background: rgba(247, 239, 217, 0.48);
}
.sub-id {
font-family: ui-monospace, SFMono-Regular, Menlo, monospace;
color: var(--green);
font-weight: 800;
min-width: 42px;
}
.deps { font-size: 0.9rem; color: var(--blue) !important; }
footer { color: var(--muted); text-align: center; padding: 30px; }
@media (max-width: 760px) {
.hero { grid-template-columns: 1fr; }
.stats { grid-template-columns: repeat(2, 1fr); }
.task-head, .subtask-top { flex-direction: column; }
.badges { justify-content: flex-start; }
}
</style>
</head>
<body>
<header>
<section class="hero">
<div>
<p class="eyebrow">Amanat docs · Taskmaster</p>
<h1>Developer task queue</h1>
<p class="lead">A shareable static view of the docs-side Taskmaster queue generated from the PRDs and latest backend security/refactor audit. Use this page for planning; use Taskmaster CLI for status updates.</p>
</div>
<aside class="stats">
<div class="stat"><strong>4</strong><span>parent tasks</span></div>
<div class="stat"><strong>26</strong><span>subtasks</span></div>
<div class="stat"><strong>26</strong><span>pending items</span></div>
<div class="stat"><strong>4</strong><span>done items</span></div>
</aside>
</section>
</header>
<main>
<div class="toolbar">
<input id="search" type="search" placeholder="Search tasks, subtasks, PRDs..." />
<select id="status"><option value="">All statuses</option><option>pending</option><option>done</option><option>in-progress</option><option>blocked</option></select>
<select id="priority"><option value="">All priorities</option><option>high</option><option>medium</option><option>low</option></select>
<a class="button" href="tasks.json">Raw JSON</a>
</div>
<section id="tasks">
<article class="task" data-status="pending" data-priority="high">
<div class="task-head">
<div>
<p class="eyebrow">Task 2</p>
<h2>Implement platform audit remediation plan</h2>
</div>
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
</div>
<p class="desc">Address the code-backed security and consistency issues identified in the 2026-05-24 platform audit remediation PRD.</p>
<details>
<summary>Details and test strategy</summary>
<p>Source PRD: .taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md. Target backend hardening first, then documentation/runtime alignment. Delivery order suggested by PRD: security/auth, rate limiting, passkeys, Web3 verification, socket hardening, dispute hold controls, docs/API alignment.</p>
<p><strong>Test strategy:</strong> Add focused regression tests for route auth/ownership, passkey challenge/verification, Web3 verification semantics, socket authorization, rate limiting tiers, and payout/release dispute holds. Update API docs after behavior is implemented.</p>
</details>
<h3>Subtasks (7)</h3>
<ul class="subtasks">
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">2.1</span>
<strong>Secure unauthenticated endpoints and owner enforcement</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Require authenticateToken and owner/admin checks on exposed payment, AI, and legacy notification routes.</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">2.2</span>
<strong>Re-enable and scope rate limiting</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Restore global and route-tiered rate limits for public-sensitive paths.</p>
<p class="deps">Depends on: 2.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">2.3</span>
<strong>Replace stubbed passkey/WebAuthn flow</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Implement production-grade WebAuthn registration/authentication and shared challenge storage.</p>
<p class="deps">Depends on: 2.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">2.4</span>
<strong>Strengthen DePay/Web3 payment verification</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Verify transaction recipient, token contract, and amount, not only receipt success.</p>
<p class="deps">Depends on: 2.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">2.5</span>
<strong>Lock Socket.IO room joins to authenticated context</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Remove trust in client-supplied user/buyer/seller room IDs.</p>
<p class="deps">Depends on: 2.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">2.6</span>
<strong>Enforce dispute hold before payout and release operations</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Add payment hold state and central release/refund guards that block disputed funds.</p>
<p class="deps">Depends on: 2.1, 2.4</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">2.7</span>
<strong>Align documentation, API references, and runtime enums</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Normalize disputed/payment/request status docs and implementation references after security behavior changes.</p>
<p class="deps">Depends on: 2.1, 2.2, 2.3, 2.4, 2.5, 2.6</p>
</li></ul>
</article>
<article class="task" data-status="pending" data-priority="high">
<div class="task-head">
<div>
<p class="eyebrow">Task 3</p>
<h2>Migrate payment architecture toward Request Network and internal funds management</h2>
</div>
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
</div>
<p class="desc">Plan and implement provider-neutral payment flows, Request Network pay-in support, funds ledger, webhook reconciliation, release/refund orchestration, UI migration, and SHKeeper decommissioning.</p>
<details>
<summary>Details and test strategy</summary>
<p>Source PRD: .taskmaster/docs/prd-request-network-migration-and-funds-management.md. The PRD recommends phased migration behind a provider adapter, Secure Payment Pages first, platform-controlled escrow/payee destination, and a first-class internal funds ledger before release/refund enforcement.</p>
<p><strong>Test strategy:</strong> Use feature flags, provider fixture tests, webhook signature/idempotency tests, ledger invariant tests, migration dry-run reports, and limited cohort rollout before default provider switch.</p>
<p><strong>Depends on:</strong> 2</p>
</details>
<h3>Subtasks (7)</h3>
<ul class="subtasks">
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">3.1</span>
<strong>Introduce provider-neutral payment adapter</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Decouple checkout, webhook, and payout flows from SHKeeper-specific routes and metadata.</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">3.2</span>
<strong>Implement Request Network pay-in integration</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Create Request Network payment requests or Secure Payment Pages for new checkout flows.</p>
<p class="deps">Depends on: 3.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">3.3</span>
<strong>Add funds ledger and escrow state machine</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Introduce internal funds accounting independent from provider metadata.</p>
<p class="deps">Depends on: 3.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">3.4</span>
<strong>Build Request Network webhook and reconciliation service</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Process signed Request Network events and repair missed webhook state through reconciliation.</p>
<p class="deps">Depends on: 3.2, 3.3</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">3.5</span>
<strong>Implement release, refund, and payout orchestration</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Replace SHKeeper payout tasks and simulated release with auditable transaction instruction and confirmation flows.</p>
<p class="deps">Depends on: 3.3, 3.4</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">3.6</span>
<strong>Migrate frontend checkout and admin payment UI</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Update buyer checkout, admin release, seller payout, and payment details for provider-neutral Request Network flows.</p>
<p class="deps">Depends on: 3.2, 3.3, 3.5</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">3.7</span>
<strong>Backfill legacy SHKeeper records and decommission provider-specific code</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Migrate historical SHKeeper payment metadata and safely remove legacy wallet monitor/webhook/payout paths after cutoff.</p>
<p class="deps">Depends on: 3.3, 3.4, 3.5, 3.6</p>
</li></ul>
</article>
<article class="task" data-status="pending" data-priority="high">
<div class="task-head">
<div>
<p class="eyebrow">Task 4</p>
<h2>Define backend security and refactor strategy from latest audit</h2>
</div>
<div class="badges"><span class="badge pending">pending</span><span class="badge priority-high">high</span></div>
</div>
<p class="desc">Convert the backend stack security/refactor assessment into concrete architecture decisions, documentation deliverables, and developer handoff criteria.</p>
<details>
<summary>Details and test strategy</summary>
<p>Source audit: .taskmaster/docs/audit-backend-stack-security-and-refactor-assessment-2026-05-24.md. This task is advisory/architecture-focused and should run in parallel with immediate hardening. It should produce the decision artifacts needed before any backend-core rewrite or provider migration is started.</p>
<p><strong>Test strategy:</strong> Review and sign off each architecture document with backend, payments, frontend, and operations stakeholders. Confirm every open question has an owner or explicit deferred decision before implementation work begins.</p>
</details>
<h3>Subtasks (9)</h3>
<ul class="subtasks">
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.1</span>
<strong>Assign security ownership and launch decision criteria</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Define who owns security decisions and what must be true before public launch or migration work proceeds.</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.2</span>
<strong>Produce threat model for escrow platform</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Document protected assets, actors, trust boundaries, and abuse cases for the financial marketplace.</p>
<p class="deps">Depends on: 4.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.3</span>
<strong>Specify funds ledger and escrow state machine</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Define canonical money movement and legal state transitions before refactor or provider migration.</p>
<p class="deps">Depends on: 4.2</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.4</span>
<strong>Create authorization matrix for REST and Socket.IO</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Map every endpoint and realtime event to access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement.</p>
<p class="deps">Depends on: 4.2</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.5</span>
<strong>Decide session, passkey, and admin step-up architecture</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Choose browser session model and high-risk admin authentication requirements.</p>
<p class="deps">Depends on: 4.2</p>
</li>
<li class="subtask" data-status="pending" data-priority="high">
<div class="subtask-top">
<span class="sub-id">4.6</span>
<strong>Specify webhook security and provider adapter contracts</strong>
<span class="badge pending">pending</span>
<span class="badge priority-high">high</span>
</div>
<p>Define provider-neutral payment interface and signed webhook processing rules.</p>
<p class="deps">Depends on: 4.3</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">4.7</span>
<strong>Define secure build and supply-chain policy</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Reduce npm/dependency compromise risk across frontend and any remaining Node services.</p>
<p class="deps">Depends on: 4.1</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">4.8</span>
<strong>Make backend-core stack decision</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Choose whether the security-critical backend core remains TypeScript or moves to Go/Kotlin/Rust/Python.</p>
<p class="deps">Depends on: 4.2, 4.3, 4.4, 4.5, 4.6, 4.7</p>
</li>
<li class="subtask" data-status="pending" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">4.9</span>
<strong>Create migration and operational runbooks</strong>
<span class="badge pending">pending</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Document rollout, rollback, and incident response for the selected backend/funds architecture.</p>
<p class="deps">Depends on: 4.8</p>
</li></ul>
</article>
<article class="task" data-status="done" data-priority="medium">
<div class="task-head">
<div>
<p class="eyebrow">Task 1</p>
<h2>Stabilize Mermaid diagram rendering across documentation vault</h2>
</div>
<div class="badges"><span class="badge done">done</span><span class="badge priority-medium">medium</span></div>
</div>
<p class="desc">Correct Mermaid syntax/rendering issues across the documentation vault and validate all Mermaid blocks.</p>
<details>
<summary>Details and test strategy</summary>
<p>Source PRD: .taskmaster/docs/prd-mermaid-diagram-rendering-stabilization.md. Scope covered 57 Mermaid blocks and 11 failing blocks. The source PRD records that all targeted files now pass mmdc parse validation and the full vault sweep passes.</p>
<p><strong>Test strategy:</strong> Run the same mmdc-based syntax validation across all Markdown Mermaid blocks and confirm zero parser failures in Obsidian/markdown previews.</p>
</details>
<h3>Subtasks (3)</h3>
<ul class="subtasks">
<li class="subtask" data-status="done" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">1.1</span>
<strong>Fix Security Architecture email/password sequence</strong>
<span class="badge done">done</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Normalize parser-sensitive sequence text in 01 - Architecture/Security Architecture.md.</p>
</li>
<li class="subtask" data-status="done" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">1.2</span>
<strong>Fix authentication login and refresh diagrams</strong>
<span class="badge done">done</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Normalize parser-sensitive token and refresh-token sequence text in Authentication Flow.</p>
</li>
<li class="subtask" data-status="done" data-priority="medium">
<div class="subtask-top">
<span class="sub-id">1.3</span>
<strong>Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams</strong>
<span class="badge done">done</span>
<span class="badge priority-medium">medium</span>
</div>
<p>Clean the remaining Mermaid sequence diagrams with invalid or ambiguous syntax.</p>
</li></ul>
</article></section>
</main>
<footer>Generated from <code>.taskmaster/tasks/tasks.json</code>. Last docs update: 2026-05-24T00:00:00.000Z</footer>
<script>
const search = document.querySelector('#search');
const status = document.querySelector('#status');
const priority = document.querySelector('#priority');
const cards = [...document.querySelectorAll('.task')];
function applyFilters() {
const q = search.value.trim().toLowerCase();
const s = status.value;
const p = priority.value;
for (const card of cards) {
const text = card.innerText.toLowerCase();
const statusMatch = !s || card.dataset.status === s || [...card.querySelectorAll('.subtask')].some((el) => el.dataset.status === s);
const priorityMatch = !p || card.dataset.priority === p || [...card.querySelectorAll('.subtask')].some((el) => el.dataset.priority === p);
const searchMatch = !q || text.includes(q);
card.style.display = statusMatch && priorityMatch && searchMatch ? '' : 'none';
}
}
search.addEventListener('input', applyFilters);
status.addEventListener('change', applyFilters);
priority.addEventListener('change', applyFilters);
</script>
</body>
</html>

384
taskmaster-share/tasks.json Normal file
View File

@@ -0,0 +1,384 @@
{
"metadata": {
"projectName": "Amanat Documentation PRDs",
"created": "2026-05-24T00:00:00.000Z",
"updated": "2026-05-24T00:00:00.000Z",
"description": "Taskmaster task queue generated from docs-side PRDs for developer sharing.",
"sourcePrds": [
".taskmaster/docs/prd-mermaid-diagram-rendering-stabilization.md",
".taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md",
".taskmaster/docs/prd-request-network-migration-and-funds-management.md",
".taskmaster/docs/audit-backend-stack-security-and-refactor-assessment-2026-05-24.md"
]
},
"tasks": [
{
"id": 1,
"title": "Stabilize Mermaid diagram rendering across documentation vault",
"description": "Correct Mermaid syntax/rendering issues across the documentation vault and validate all Mermaid blocks.",
"details": "Source PRD: .taskmaster/docs/prd-mermaid-diagram-rendering-stabilization.md. Scope covered 57 Mermaid blocks and 11 failing blocks. The source PRD records that all targeted files now pass mmdc parse validation and the full vault sweep passes.",
"testStrategy": "Run the same mmdc-based syntax validation across all Markdown Mermaid blocks and confirm zero parser failures in Obsidian/markdown previews.",
"priority": "medium",
"status": "done",
"dependencies": [],
"subtasks": [
{
"id": 1,
"title": "Fix Security Architecture email/password sequence",
"description": "Normalize parser-sensitive sequence text in 01 - Architecture/Security Architecture.md.",
"details": "Avoid semicolons and ambiguous inline punctuation in sequence messages.",
"status": "done",
"priority": "medium",
"dependencies": [],
"testStrategy": "mmdc parse for the specific block."
},
{
"id": 2,
"title": "Fix authentication login and refresh diagrams",
"description": "Normalize parser-sensitive token and refresh-token sequence text in Authentication Flow.",
"details": "Split method-like or expression-like message text into parser-safe plain text lines.",
"status": "done",
"priority": "medium",
"dependencies": [],
"testStrategy": "mmdc parse for both Authentication Flow blocks."
},
{
"id": 3,
"title": "Fix chat, delivery, dispute, OAuth, purchase request, referral, registration, and seller-offer diagrams",
"description": "Clean the remaining Mermaid sequence diagrams with invalid or ambiguous syntax.",
"details": "Split multi-recipient arrows, remove parser-conflicting semicolon/expression text, and keep intent unchanged.",
"status": "done",
"priority": "medium",
"dependencies": [],
"testStrategy": "Full vault mmdc parser sweep across all Mermaid blocks."
}
]
},
{
"id": 2,
"title": "Implement platform audit remediation plan",
"description": "Address the code-backed security and consistency issues identified in the 2026-05-24 platform audit remediation PRD.",
"details": "Source PRD: .taskmaster/docs/prd-platform-audit-remediation-plan-2026-05-24.md. Target backend hardening first, then documentation/runtime alignment. Delivery order suggested by PRD: security/auth, rate limiting, passkeys, Web3 verification, socket hardening, dispute hold controls, docs/API alignment.",
"testStrategy": "Add focused regression tests for route auth/ownership, passkey challenge/verification, Web3 verification semantics, socket authorization, rate limiting tiers, and payout/release dispute holds. Update API docs after behavior is implemented.",
"priority": "high",
"status": "pending",
"dependencies": [],
"subtasks": [
{
"id": 1,
"title": "Secure unauthenticated endpoints and owner enforcement",
"description": "Require authenticateToken and owner/admin checks on exposed payment, AI, and legacy notification routes.",
"details": "Derive notification userId from authenticated principal. Protect payment history and mutation endpoints. Restrict AI calls to authenticated users with per-user budgets. Add denied-access audit logs.",
"status": "pending",
"priority": "high",
"dependencies": [],
"testStrategy": "Unauthorized callers receive 401/403; users cannot access or mutate other users' payments/notifications; admins retain authorized access."
},
{
"id": 2,
"title": "Re-enable and scope rate limiting",
"description": "Restore global and route-tiered rate limits for public-sensitive paths.",
"details": "Use stricter limits for auth, financial, AI, file upload, and verification paths. Keep public reads at relaxed limits. Add observability for 429 spikes.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Exercise configured limits per tier and confirm expected 429 responses without blocking ordinary reads."
},
{
"id": 3,
"title": "Replace stubbed passkey/WebAuthn flow",
"description": "Implement production-grade WebAuthn registration/authentication and shared challenge storage.",
"details": "Use real attestation/assertion verification, Redis-backed TTL challenges, refresh-token persistence/rotation, and deterministic malformed/reused/expired challenge errors.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Registration, login, replay, expired challenge, and refresh-token continuity tests pass."
},
{
"id": 4,
"title": "Strengthen DePay/Web3 payment verification",
"description": "Verify transaction recipient, token contract, and amount, not only receipt success.",
"details": "Decode ERC-20 Transfer logs, compare recipient against escrow address, validate token contract and decimals-adjusted minimum amount, store verifier evidence and idempotency fingerprint.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Reject successful but wrong-recipient/wrong-token/underpaid tx hashes; accept only matching transfers."
},
{
"id": 5,
"title": "Lock Socket.IO room joins to authenticated context",
"description": "Remove trust in client-supplied user/buyer/seller room IDs.",
"details": "Validate socket handshake token, derive server-side room membership, reject mismatched joins, and monitor suspicious join attempts.",
"status": "pending",
"priority": "medium",
"dependencies": [
1
],
"testStrategy": "A user cannot subscribe to another user's rooms; legitimate realtime notifications still arrive."
},
{
"id": 6,
"title": "Enforce dispute hold before payout and release operations",
"description": "Add payment hold state and central release/refund guards that block disputed funds.",
"details": "Introduce explicit dispute hold fields or state, enforce in PaymentCoordinator and payout/release services, return clear 409/423 responses, and backfill/report blocked payments.",
"status": "pending",
"priority": "medium",
"dependencies": [
1,
4
],
"testStrategy": "Open dispute blocks release/refund until resolved or explicitly overridden through authorized path."
},
{
"id": 7,
"title": "Align documentation, API references, and runtime enums",
"description": "Normalize disputed/payment/request status docs and implementation references after security behavior changes.",
"details": "Resolve mismatch around absent dispute module, endpoint names, status enums, and action names across Data Models, API Reference, and Flows.",
"status": "pending",
"priority": "medium",
"dependencies": [
1,
2,
3,
4,
5,
6
],
"testStrategy": "Docs match implemented routes, models, enum values, and state transitions."
}
]
},
{
"id": 3,
"title": "Migrate payment architecture toward Request Network and internal funds management",
"description": "Plan and implement provider-neutral payment flows, Request Network pay-in support, funds ledger, webhook reconciliation, release/refund orchestration, UI migration, and SHKeeper decommissioning.",
"details": "Source PRD: .taskmaster/docs/prd-request-network-migration-and-funds-management.md. The PRD recommends phased migration behind a provider adapter, Secure Payment Pages first, platform-controlled escrow/payee destination, and a first-class internal funds ledger before release/refund enforcement.",
"testStrategy": "Use feature flags, provider fixture tests, webhook signature/idempotency tests, ledger invariant tests, migration dry-run reports, and limited cohort rollout before default provider switch.",
"priority": "high",
"status": "pending",
"dependencies": [
2
],
"subtasks": [
{
"id": 1,
"title": "Introduce provider-neutral payment adapter",
"description": "Decouple checkout, webhook, and payout flows from SHKeeper-specific routes and metadata.",
"details": "Define createPayInIntent, getPayInStatus, handleProviderWebhook, createHostedPaymentLink, createReleaseInstruction, createRefundInstruction, getPayoutStatus, and searchProviderPayments. Add provider values shkeeper, request_network, manual, admin_wallet and PAYMENT_PROVIDER feature flag.",
"status": "pending",
"priority": "high",
"dependencies": [],
"testStrategy": "New provider can be selected by feature flag while existing SHKeeper payments remain readable and process late webhooks."
},
{
"id": 2,
"title": "Implement Request Network pay-in integration",
"description": "Create Request Network payment requests or Secure Payment Pages for new checkout flows.",
"details": "Store requestId, paymentReference, securePaymentUrl, token, merchantReference, network, invoiceCurrency, and paymentCurrency. Validate supported networks/currencies before creating links.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Buyer receives hosted payment URL; webhook reconciles matching internal payment only after amount/currency/reference validation."
},
{
"id": 3,
"title": "Add funds ledger and escrow state machine",
"description": "Introduce internal funds accounting independent from provider metadata.",
"details": "Add FundsAccount, LedgerEntry, derived FundsBalance, expected/held/releasable/releasing/released/refunded/disputed/failed states, fee representation, and release/refund invariant checks.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Every pay-in creates immutable ledger entries and payout/refund cannot exceed available held funds or bypass dispute holds."
},
{
"id": 4,
"title": "Build Request Network webhook and reconciliation service",
"description": "Process signed Request Network events and repair missed webhook state through reconciliation.",
"details": "Add /api/payment/request-network/webhook, verify raw-body x-request-network-signature, store delivery ID/retry/event/request/payment reference/payload hash, support test webhooks, and add scheduled payment search/status reconciliation.",
"status": "pending",
"priority": "high",
"dependencies": [
2,
3
],
"testStrategy": "Invalid signatures reject; duplicate delivery IDs acknowledge without duplicate ledger entries; reconciliation repairs missed state."
},
{
"id": 5,
"title": "Implement release, refund, and payout orchestration",
"description": "Replace SHKeeper payout tasks and simulated release with auditable transaction instruction and confirmation flows.",
"details": "Create release/refund service consuming ledger balances, generate Request Network payout or direct admin wallet instructions, store unsigned tx payloads, signer, submitted hash, confirmation status, provider status, and require admin/operator authorization plus dispute checks.",
"status": "pending",
"priority": "high",
"dependencies": [
3,
4
],
"testStrategy": "Release cannot occur if unpaid, already released, refunded, or disputed; tx hash confirmation updates ledger once; admin can retry/cancel safely."
},
{
"id": 6,
"title": "Migrate frontend checkout and admin payment UI",
"description": "Update buyer checkout, admin release, seller payout, and payment details for provider-neutral Request Network flows.",
"details": "Replace ShkeeperPayment with CryptoPayment/RequestNetworkPayment redirect flow, keep legacy SHKeeper only for legacy records, replace ShkeeperPayout with release queue/admin payout UI, and show provider IDs, payment references, hosted links, ledger balances, webhook/reconciliation status.",
"status": "pending",
"priority": "medium",
"dependencies": [
2,
3,
5
],
"testStrategy": "Request Network checkout does not expect walletAddress; admin UI blocks unsafe release; legacy labels are hidden for Request Network records."
},
{
"id": 7,
"title": "Backfill legacy SHKeeper records and decommission provider-specific code",
"description": "Migrate historical SHKeeper payment metadata and safely remove legacy wallet monitor/webhook/payout paths after cutoff.",
"details": "Backfill provider namespace, create ledger entries for trusted completed SHKeeper payments, mark legacyProvider, keep webhook tail period, and produce decommission checklist for env vars, docs, labels, routes, and runbooks.",
"status": "pending",
"priority": "medium",
"dependencies": [
3,
4,
5,
6
],
"testStrategy": "Dry-run report includes total, migrated, skipped, ambiguous, failed; no historical transaction hash/invoice/task metadata is lost."
}
]
},
{
"id": 4,
"title": "Define backend security and refactor strategy from latest audit",
"description": "Convert the backend stack security/refactor assessment into concrete architecture decisions, documentation deliverables, and developer handoff criteria.",
"details": "Source audit: .taskmaster/docs/audit-backend-stack-security-and-refactor-assessment-2026-05-24.md. This task is advisory/architecture-focused and should run in parallel with immediate hardening. It should produce the decision artifacts needed before any backend-core rewrite or provider migration is started.",
"testStrategy": "Review and sign off each architecture document with backend, payments, frontend, and operations stakeholders. Confirm every open question has an owner or explicit deferred decision before implementation work begins.",
"priority": "high",
"status": "pending",
"dependencies": [],
"subtasks": [
{
"id": 1,
"title": "Assign security ownership and launch decision criteria",
"description": "Define who owns security decisions and what must be true before public launch or migration work proceeds.",
"details": "Answer ownership questions from the audit: security owner, launch safety bar, whether launch prioritizes hardening or redesign, and whether external penetration testing is required.",
"status": "pending",
"priority": "high",
"dependencies": [],
"testStrategy": "Written owner/RACI and launch gate checklist are accepted by leadership and engineering."
},
{
"id": 2,
"title": "Produce threat model for escrow platform",
"description": "Document protected assets, actors, trust boundaries, and abuse cases for the financial marketplace.",
"details": "Include buyer, seller, admin, support, unauthenticated attacker, compromised user/admin, provider, malicious webhook sender, browser/backend/database/Redis/provider/wallet/Socket.IO trust boundaries, and abuse cases such as fake payment proof, replayed webhook, arbitrary room join, stolen token, double payout, dispute bypass, email abuse, and AI abuse.",
"status": "pending",
"priority": "high",
"dependencies": [
1
],
"testStrategy": "Threat model maps each high-risk finding to at least one mitigation task or accepted risk."
},
{
"id": 3,
"title": "Specify funds ledger and escrow state machine",
"description": "Define canonical money movement and legal state transitions before refactor or provider migration.",
"details": "Create specs for FundsAccount, LedgerEntry, FundsBalance, gross paid, provider fees, platform fees, held, disputed, releasable, released, refunded, idempotency keys, reconciliation behavior, purchase request states, payment states, escrow/funds states, dispute states, valid transitions, forbidden transitions, and release/refund/admin override preconditions.",
"status": "pending",
"priority": "high",
"dependencies": [
2
],
"testStrategy": "Spec can be used to reject double-release, release-during-dispute, underfunded payout, and ambiguous provider-event scenarios."
},
{
"id": 4,
"title": "Create authorization matrix for REST and Socket.IO",
"description": "Map every endpoint and realtime event to access level, ownership checks, state preconditions, rate-limit tier, and audit-log requirement.",
"details": "Include public/authenticated/owner/buyer/seller/admin/support/service-role classifications. Socket.IO rooms must be server-derived from authenticated identity, not client-supplied user IDs.",
"status": "pending",
"priority": "high",
"dependencies": [
2
],
"testStrategy": "No route or socket event remains unmapped; implementation tasks can reference matrix rows directly."
},
{
"id": 5,
"title": "Decide session, passkey, and admin step-up architecture",
"description": "Choose browser session model and high-risk admin authentication requirements.",
"details": "Decide localStorage versus httpOnly cookies, access/refresh token lifetimes, CSRF strategy, refresh rotation, WebAuthn requirements, OAuth requirements, device/session revocation, and whether payouts/role changes require step-up authentication or two-person approval.",
"status": "pending",
"priority": "high",
"dependencies": [
2
],
"testStrategy": "Decision record lists chosen model, rejected alternatives, migration cost, and required implementation tasks."
},
{
"id": 6,
"title": "Specify webhook security and provider adapter contracts",
"description": "Define provider-neutral payment interface and signed webhook processing rules.",
"details": "Document createPayInIntent, getPayInStatus, handleProviderWebhook, createHostedPaymentLink, createReleaseInstruction, createRefundInstruction, getPayoutStatus, searchProviderPayments, raw-body signature verification, replay prevention, delivery ID idempotency, duplicate/unknown event behavior, retry semantics, dead-letter/replay storage, and alert thresholds.",
"status": "pending",
"priority": "high",
"dependencies": [
3
],
"testStrategy": "Contracts cover SHKeeper legacy, Request Network, manual/admin wallet, invalid signatures, duplicate deliveries, and missed webhook reconciliation."
},
{
"id": 7,
"title": "Define secure build and supply-chain policy",
"description": "Reduce npm/dependency compromise risk across frontend and any remaining Node services.",
"details": "Specify package manager and lockfile policy, CI install mode, dependency update cadence, advisory monitoring, npm provenance/signature policy where available, secrets handling, reproducible production builds, and separation between frontend npm risk and backend-core risk.",
"status": "pending",
"priority": "medium",
"dependencies": [
1
],
"testStrategy": "Policy is actionable in CI and includes response steps for compromised package, leaked token, and vulnerable dependency alerts."
},
{
"id": 8,
"title": "Make backend-core stack decision",
"description": "Choose whether the security-critical backend core remains TypeScript or moves to Go/Kotlin/Rust/Python.",
"details": "Evaluate team capability, two-year maintainability, operational footprint, rewrite cost, dual-stack complexity, auditability, supply-chain exposure, and which modules belong in a payment/auth/escrow core versus the existing marketplace/chat API.",
"status": "pending",
"priority": "medium",
"dependencies": [
2,
3,
4,
5,
6,
7
],
"testStrategy": "Architecture decision record states chosen stack, scope of extraction, non-goals, migration phases, rollback criteria, and owners."
},
{
"id": 9,
"title": "Create migration and operational runbooks",
"description": "Document rollout, rollback, and incident response for the selected backend/funds architecture.",
"details": "Include SHKeeper legacy read path, provider feature flag, ledger backfill, validation report before enforcement, rollback criteria, webhook cutoff, manual reconciliation, failed webhook, duplicate/missing payment, stuck release, disputed release attempt, compromised admin, leaked API key, provider outage, chain/RPC outage, suspicious payment proof, and npm/package compromise.",
"status": "pending",
"priority": "medium",
"dependencies": [
8
],
"testStrategy": "Runbooks identify owner, trigger, detection signal, immediate action, recovery action, and post-incident documentation for each scenario."
}
]
}
]
}

View File

@@ -0,0 +1,12 @@
{
"cleanUrls": true,
"headers": [
{
"source": "/(.*)",
"headers": [
{ "key": "X-Content-Type-Options", "value": "nosniff" },
{ "key": "Referrer-Policy", "value": "strict-origin-when-cross-origin" }
]
}
]
}